Regulation S-P Establishes Data Breach Notification and Planning Requirements
On May 16th, the U.S. Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P. The amendments are intended to provide investors with greater privacy protections and transparency into data breaches by creating new requirements for how broker-dealers, investment companies, transfer agents, and registered investment advisers prepare for, respond to, and recover from data breaches and cybersecurity incidents that allow unauthorized access to sensitive customer information.
The SEC defines sensitive customer information as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”
Rule requirements
The amendments will require covered entities to:
- Establish an incident response program – The amendment will require firms to build and maintain written policies and procedures that are reasonably designed to “detect, respond to, and recover from unauthorized access to or use of consumer information.” This will include the creation of an incident response program that is able to assess the nature and scope of data privacy incidents as well as take appropriate action to contain and control the incidents.
- Adopt a process for incident notification – The incident response program will be required to notify all individuals that have been impacted, or could reasonably be expected to have been impacted by the incident, within 30 days of the incident being discovered. If the firm is unable to determine which individuals were impacted by the incident, the amendment requires that the firm notify all customers who could have been impacted by the incident.
- Make and keep compliance records – The amendments require covered entities (except funding portals) to document policies and procedures for Regulation S-P's requirements around the proper safeguarding and disposal of sensitive customer information.
One of the amendments also broadens the scope of information that is covered by Regulation S-P to include non-public customer information that is transferred to the covered firm via other institutions.
The rule will come into force 18 months after its publication in the Federal Register, and 24 months for smaller firms.
Our guidance
Many firms have very good cybersecurity programs, but they may not be well documented. This rule formalizes the SEC’s expectations around what they are looking for in a cybersecurity program. Firms should consider taking the following steps now to prepare:
- Review the firm's current incident response plan to make sure it complies with the rule’s requirements.
- Conduct tabletop/scenario exercises to ensure staff are aware of how to respond to incidents that expose non-public customer information.
- Ensure proper due diligence, monitoring, and oversight of vendors that have access to the firm’s sensitive customer information, and that the incident response program has built out the proper policies and procedures to support these activities.
- Establish and/or review the firm’s data classification policies to ensure data that meets the SEC’s definition of sensitive customer information receives the proper protection and is handled appropriately.
- Inventory the firm’s customer data to ensure the proper controls and safeguards for sensitive customer information are consistently applied, and to improve the speed at which the firm can potentially identify unauthorized access.
How we help
ACA Aponix® can help your firm build your cybersecurity program and strengthen your line of defense against cyberattacks. Our services include:
- Aponix ProtectTM is a cybersecurity and technology risk solution that helps you build a comprehensive risk management program tailored to your business needs.
- ACA Signature combines cybersecurity with compliance advisory services, innovative technology and managed services for a scalable solution that can help you gain expert insight, guidance, and support as you navigate emerging challenges.
Reach out to your ACA consultant, or contact us to find out how ACA can help secure your firm against cyber threats and comply with regulatory expectations.
Related insights
National Counterintelligence and Security Center Warns Against Use of Investments by Foreign Adversaries
The U.S. National Counterintelligence and Security Center published a bulletin warning that foreign threat actors may use private investments – such as venture capital and private equity – to exploit tech startups, presenting a potential threat to economic and national security. Learn more about how to navigate this concern.
- AML and Financial Crime
- Cybersecurity
- Portfolio Company Risk Management
- Private Fund
Building a Value-Generating Cybersecurity Portfolio Oversight Program
It has become imperative that private equity firms institute a programmatic approach to portfolio oversight, meaning oversight that is formally governed, applied consistently, and grows valuations.
- Cybersecurity
- Cybersecurity Resources
- Portfolio Company Risk Management
CrowdStrike Outage and Options for Remediation
An automated update released by CrowdStrike overnight had a technical issue that caused Windows devices receiving the update to crash.
- Cybersecurity
- Compliance